US11146569B1 · Active · Utility patent · PatentIndex 92

Escalation-resistant secure network services using request-scoped authentication information

Assignee: AMAZON TECH INC · Priority: Jun 28, 2018 · Filed: Jun 28, 2018 · Granted: Oct 12, 2021
Est. expiry: Jun 28, 2038 (~12 yrs left) · nominal 20-yr term from priority
Inventors: BROOKER MARC JOHN; NAIR AJAY; MACCÁRTHAIGH COLM
CPC: H04L 63/105; H04L 63/0807; G06F 2009/45587; G06F 9/45558; G06F 9/445; G06F 21/629; G06F 21/335
PatentIndex Score: 92 · Cited by: 40 · References: 943 · Claims: 14

Abstract

Systems and methods are described for providing escalation-resistant network-accessible services by providing the service through a set of service instances, each executing in an environment with privileges scoped based on a user requesting to access the service. Each service instance can be implemented by code on a serverless code system, executed in response to a user request to access the service. Because the code is executed in an environment with privileges scoped to those of a requesting user, the code itself need not attempt to limit the privileges of a requesting user. For that reason, potential for privilege escalations of the service are reduced, even if vulnerabilities in the code might otherwise allow for such escalations.

Claims

exact text as granted — not AI-modified
What is claimed is:

1. A system to implement privilege-escalation-resistant service instances via execution of a code on an on-demand code execution system, wherein executions of the code implement instances of a network-accessible service, the system comprising:
  a physical data store storing the code; and
  one or more computing devices configured with specific computer-executable instructions to:
    receive transmissions corresponding to interactions with the network-accessible service, wherein each transmission includes authentication information of a user interacting with the network-accessible service, and wherein each user is associated with privileges denoting actions on the network-accessible service allowed to be taken by the user;
    for each transmission corresponding to an interaction with the network-accessible service:
      generate a virtualized execution environment with privileges scoped to privileges of the user interacting with the network-accessible service at least partly by limiting the virtualized execution environment based on the authentication information included within the transmission corresponding to the interaction with the network-accessible service; and
      execute the code within the virtualized execution environment to provide a privilege-escalation-resistant instance of the network-accessible service with privileges scoped to the privileges of the user interacting with the network-accessible service, wherein the instance of the network-accessible service processes the transmission to conduct the interactions;
  wherein, for at least a second transmission of the transmissions, generating the virtualized execution environment comprises:
    removing the authentication information of a user corresponding to a prior transmission from the virtualized execution environment; and
    provisioning the virtualized execution environment with the authentication information of a user corresponding to the second transmission.

2. The system of claim 1, wherein the virtualized execution environment is at least one of a software container or a virtual machine instance.

3. The system of claim 1, wherein the one or more computing devices are further configured with specific computer-executable instructions to delete the virtualized execution environment subsequent to the execution of the code.

4. The system of claim 1, wherein the authentication information is an authentication token obtained by an authentication service.

5. A computer-implemented method comprising:
  receiving transmissions corresponding to interactions with a network-accessible service, wherein network-accessible service is implemented via execution of code on an on-demand code execution system, wherein each transmission includes authentication information of a user interacting with the network-accessible service, and wherein each user is associated privileges denoting actions on the network-accessible service allowed to be taken by the user;
  for each transmission corresponding to an interaction with the network-accessible service:
    generating a virtualized execution environment on the on-demand code execution system with privileges scoped to privileges of the user interacting with the network-accessible service at least partly by limiting the virtualized execution environment to the authentication information included within the transmission corresponding to the interaction with the network-accessible service; and
    executing the code within the virtualized execution environment to provide an instance of the network-accessible service with privileges scoped to the privileges of the user interacting with the network-accessible service, wherein the instance of the network-accessible service processes the transmission to conduct the interaction;
  wherein, for at least a second transmission of the transmissions, generating the virtualized execution environment comprises:
    removing the authentication information of a user corresponding to a prior transmission from the virtualized execution environment; and
    provisioning the virtualized execution environment with the authentication information of a user corresponding to the second transmission.

6. The computer-implemented method of claim 5, wherein generating the virtualized execution environment on the on-demand code execution system with privileges scoped to privileges of the user interacting with the network-accessible service includes restricting the virtualized execution environment to the actions on the network-accessible service allowed to be taken by the user.

7. The computer-implemented method of claim 6, wherein restricting the virtualized execution environment to the actions on the service allowed to be taken by the user includes implementing at least one restriction for the virtualized execution environment on a host computing device hosting the virtualized execution environment.

8. The computer-implemented method of claim 5, wherein each user is associated with privileges denoting actions on the network-accessible service allowed to be taken by the user at least partly based on pre-established authorizations for the user.

9. The computer-implemented method of claim 5, further comprising, at a host computing device hosting the execution environment:
  determining authorizations indicating services to which the virtualized execution environment can issue calls;
  detecting a call generated by an execution of the code within the virtualized execution environment; and
  modifying the call to exclude at least a portion of the authentication information associated with a service not indicated within the authorizations.

10. Non-transitory computer-readable media comprising instructions executable on a computing system to:
  receive transmissions corresponding to interactions with a network-accessible service, wherein network-accessible service is implemented via execution of code on an on-demand code execution system, wherein each transmission identifies authentication information of a user interacting with the network-accessible service, and wherein each user is associated privileges denoting actions on the network-accessible service allowed to be taken by the user;
  for each transmission corresponding to an interaction with the network-accessible service:
    generate a virtualized execution environment on the on-demand code execution system with privileges scoped to privileges of the user interacting with the network-accessible the service at least partly by limiting the virtualized execution environment to the authentication information included within the transmission corresponding to the interaction with the network-accessible service; and
    execute the code within the virtualized execution environment to provide an instance of the network-accessible service with privileges scoped to the privileges of the user interacting with the network-accessible service, wherein the instance of the network-accessible service processes the transmission to conduct the interaction;
  wherein, for at least a second transmission of the transmissions, generating the virtualized execution environment comprises:
    removing the authentication information of a user corresponding to a prior transmission from the virtualized execution environment; and
    provisioning the virtualized execution environment with the authentication information of a user corresponding to the second transmission.

11. The non-transitory computer-readable media of claim 10, wherein, to generate the virtualized execution environment on the on-demand code execution system with privileges scoped to privileges of the user interacting with the network-accessible service, the instructions are executable on the computing system to restrict the virtualized execution environment to the actions on the network-accessible service allowed to be taken by the user.

12. The non-transitory computer-readable media of claim 10, wherein, to restrict the virtualized execution environment to the actions on the service allowed to be taken by the user, the instructions are executable on the computing system to implement at least one restriction for the virtualized execution environment on a host computing device hosting the virtualized execution environment.

13. The non-transitory computer-readable media of claim 10, wherein each user is associated with privileges denoting actions on the network-accessible service allowed to be taken by the user at least partly based on pre-established authorizations for the user.

14. The non-transitory computer-readable media of claim 10, wherein the instructions are further executable on the computing system to:
  determine authorizations indicating services to which the virtualized execution environment can issue calls;
  detect a call generated by an execution of the code within the virtualized execution environment; and
  modify the call to exclude at least a portion of the authentication information associated with a service not indicated within the authorizations.
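The abstract and claims 1, 6-7 and 9/14 together describe one mechanism: each request runs in an environment that holds only the requester's authentication information, the environment (not the service code) enforces which actions and downstream calls that information permits, and the previous requester's information is scrubbed before the environment is reused. The following Python simulation is an added example written for this page; it is not code from the patent or from Amazon. The token shape (`AuthToken` with `allowed_actions` and `allowed_services`), the `ScopedEnvironment`, `Dispatcher` and `service_code` names, and the sample users and requests are all constructed assumptions. The service code is written to do whatever the request asks without any check of its own, which is exactly the kind of flaw the abstract says request-scoped privileges make harmless.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AuthToken:
    """Authentication information carried in each transmission. The shape is a
    constructed assumption; claim 4 only says it is a token from an auth service."""
    user: str
    allowed_actions: frozenset   # actions on the service the user may take
    allowed_services: frozenset  # downstream services the token may be forwarded to


class PrivilegeError(Exception):
    pass


class ScopedEnvironment:
    """Stand-in for the container/VM of claim 2. It holds at most one user's
    token, and it, not the service code, is where privileges are enforced."""

    def __init__(self) -> None:
        self.token: Optional[AuthToken] = None
        # (service, credential owner or None) for every outbound call seen by the host
        self.outbound: List[Tuple[str, Optional[str]]] = []

    def scrub(self) -> None:
        """Claim 1, second transmission: remove the prior user's authentication info."""
        self.token = None

    def provision(self, token: AuthToken) -> None:
        """Claim 1: provision the environment with the current requester's info."""
        self.token = token

    def perform(self, action: str) -> str:
        """Host-side restriction (claims 6-7): only actions the token allows succeed."""
        if self.token is None or action not in self.token.allowed_actions:
            who = self.token.user if self.token else "nobody"
            raise PrivilegeError(f"{who} may not {action}")
        return f"{self.token.user}:{action}"

    def call(self, service: str) -> bool:
        """Claims 9/14: a call to a service outside the authorizations is forwarded
        with the credential stripped. Returns whether the credential was attached."""
        attached = self.token is not None and service in self.token.allowed_services
        self.outbound.append((service, self.token.user if attached else None))
        return attached


def service_code(env: ScopedEnvironment, request: Dict) -> List[str]:
    """The deployed service code (hypothetical). It performs whatever actions the
    request names and calls whatever services it names, with no checks of its own."""
    done = [env.perform(action) for action in request["actions"]]
    for service in request.get("calls", []):
        env.call(service)
    return done


class Dispatcher:
    """Hypothetical on-demand code execution front end: one transmission in, one
    scoped execution out. The environment is reused, so scrubbing is what keeps
    one requester's token away from the next requester's execution."""

    def __init__(self) -> None:
        self.env = ScopedEnvironment()

    def handle(self, token: AuthToken, request: Dict) -> Dict:
        self.env.scrub()           # drop the previous requester's token first
        self.env.provision(token)
        try:
            return {"ok": True, "result": service_code(self.env, request)}
        except PrivilegeError as err:
            return {"ok": False, "error": str(err)}
        finally:
            self.env.scrub()       # nothing survives the request (cf. claim 3)


def run_demo():
    """Constructed scenario: bob holds more privileges than alice. Both send the
    same over-reaching request through the same code; a later request from alice
    tries to reach a downstream service her token does not authorize."""
    alice = AuthToken("alice", frozenset({"read"}), frozenset({"ledger"}))
    bob = AuthToken("bob", frozenset({"read", "delete"}), frozenset({"ledger", "audit"}))
    d = Dispatcher()
    greedy = {"actions": ["read", "delete"], "calls": ["ledger", "audit"]}
    r_bob = d.handle(bob, greedy)
    r_alice = d.handle(alice, greedy)    # same code, same request, narrower scope
    r_probe = d.handle(alice, {"actions": ["read"], "calls": ["audit"]})
    return r_bob, r_alice, r_probe, list(d.env.outbound), d.env.token


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

Running the demo shows the three outcomes the claims describe: bob's request succeeds in full, alice's identical request stops at `delete` because her token does not carry that action, and her probe of the `audit` service goes out with no credential attached. After every request the environment's token is `None`, so a later execution cannot read a previous requester's authentication information.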

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.